diff --git a/sql/log_event.cc b/sql/log_event.cc index 3e717ce4d6ca75c69ef11695648df52593e3873c..62a3658bc9fd403c5bd0923692f9455404714161 100644 --- a/sql/log_event.cc +++ b/sql/log_event.cc @@ -207,14 +207,17 @@ Log_event* Log_event::read_log_event(FILE* file, pthread_mutex_t* log_lock) return NULL; } -Log_event* Log_event::read_log_event(const char* buf, int max_buf) +Log_event* Log_event::read_log_event(const char* buf, int event_len) { - + if(event_len < EVENT_LEN_OFFSET || + (uint)event_len != uint4korr(buf+EVENT_LEN_OFFSET)) + return NULL; // general sanity check - will fail on a partial read + switch(buf[EVENT_TYPE_OFFSET]) { case QUERY_EVENT: { - Query_log_event* q = new Query_log_event(buf, max_buf); + Query_log_event* q = new Query_log_event(buf, event_len); if (!q->query) { delete q; @@ -226,7 +229,7 @@ Log_event* Log_event::read_log_event(const char* buf, int max_buf) case LOAD_EVENT: { - Load_log_event* l = new Load_log_event(buf, max_buf); + Load_log_event* l = new Load_log_event(buf, event_len); if (!l->table_name) { delete l; @@ -238,7 +241,7 @@ Log_event* Log_event::read_log_event(const char* buf, int max_buf) case ROTATE_EVENT: { - Rotate_log_event* r = new Rotate_log_event(buf, max_buf); + Rotate_log_event* r = new Rotate_log_event(buf, event_len); if (!r->new_log_ident) { delete r; @@ -247,9 +250,9 @@ Log_event* Log_event::read_log_event(const char* buf, int max_buf) return r; } - case START_EVENT: return new Start_log_event(buf); - case STOP_EVENT: return new Stop_log_event(buf); - case INTVAR_EVENT: return new Intvar_log_event(buf); + case START_EVENT: return new Start_log_event(buf); + case STOP_EVENT: return new Stop_log_event(buf); + case INTVAR_EVENT: return new Intvar_log_event(buf); default: return NULL; } @@ -357,12 +360,12 @@ Start_log_event::Start_log_event(const char* buf) :Log_event(buf) created = uint4korr(buf + 2 + sizeof(server_version)); } -Rotate_log_event::Rotate_log_event(const char* buf, int max_buf): +Rotate_log_event::Rotate_log_event(const char* buf, int event_len): Log_event(buf),new_log_ident(NULL),alloced(0) { - ulong event_len; - event_len = uint4korr(buf + EVENT_LEN_OFFSET); - if(event_len < ROTATE_EVENT_OVERHEAD || event_len > (ulong) max_buf) + // the caller will ensure that event_len is what we have at + // EVENT_LEN_OFFSET + if(event_len < ROTATE_EVENT_OVERHEAD) return; ident_len = (uchar)(event_len - ROTATE_EVENT_OVERHEAD); @@ -415,16 +418,15 @@ Query_log_event::Query_log_event(FILE* file, time_t when_arg, *((char*)query + q_len) = 0; } -Query_log_event::Query_log_event(const char* buf, int max_buf): +Query_log_event::Query_log_event(const char* buf, int event_len): Log_event(buf),data_buf(0), query(NULL), db(NULL) { + if (event_len < QUERY_EVENT_OVERHEAD) + return; ulong data_len; buf += EVENT_LEN_OFFSET; - data_len = uint4korr(buf); - if (data_len < QUERY_EVENT_OVERHEAD || data_len > (ulong) max_buf) - return; // tear-drop attack protection :) + data_len = event_len - QUERY_EVENT_OVERHEAD; - data_len -= QUERY_EVENT_OVERHEAD; exec_time = uint4korr(buf + 8); error_code = uint2korr(buf + 13); @@ -603,7 +605,7 @@ Load_log_event::Load_log_event(FILE* file, time_t when, uint32 server_id): fname_len = data_len - 2 - db_len - table_name_len - num_fields - field_block_len; } -Load_log_event::Load_log_event(const char* buf, int max_buf): +Load_log_event::Load_log_event(const char* buf, int event_len): Log_event(when,0,0,server_id),data_buf(0),num_fields(0),fields(0), field_lens(0),field_block_len(0), table_name(0),db(0),fname(0) @@ -611,14 +613,12 @@ Load_log_event::Load_log_event(const char* buf, int max_buf): { ulong data_len; - if((uint)max_buf < (LOAD_EVENT_OVERHEAD + LOG_EVENT_HEADER_LEN)) + if(event_len < (LOAD_EVENT_OVERHEAD + LOG_EVENT_HEADER_LEN)) return; buf += EVENT_LEN_OFFSET; - data_len = uint4korr(buf); - if((uint)data_len > (uint)max_buf) - return; + data_len = event_len; thread_id = uint4korr(buf+4); exec_time = uint4korr(buf+8);